Bank of NY Loses Tapes With 4.5 Million Clients' Data 156
Lucas123 brings news that Bank of New York Mellon Corp. has admitted they lost a box of unencrypted data storage tapes. The tapes contained personal information for over 4.5 million people. From Computerworld:
"The bank informed the Connecticut State Attorney General's Office that the tapes ... were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.
More importantly .. (Score:5, Funny)
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Re: (Score:1)
Re:More importantly .. (Score:4, Informative)
http://www.peoples.com/online/help/0,,14408,00.html?cm_mmc=Peoples-_-incident-_-hp-_-whatsnew [peoples.com]
Re: (Score:2)
New Unit (Score:5, Funny)
-Grey [silverclipboard.com]
Re: (Score:2)
Unencrypted? (Score:5, Interesting)
Re:Unencrypted? (Score:5, Informative)
Re:Unencrypted? (Score:5, Informative)
The EU laws are more concerned with how you use the data than how you encrypt it. I can't speak for the rest of the EU, but the UK has the Data Protection Act which briefly states:
1. Data may only be used for the purposes for which it was collected. You can't ask me to fill in a questionnaire for market research purposes and then use my answers to crank up my life insurance premiums.
2. Data must not be disclosed to others without the subject's consent unless there is a legal obligation to do so. You can't sell my details to someone for marketing purposes unless I've said you can - but if the police come knocking demanding my data, that's OK.
3. Individuals have a right to access personal data, and may not be charged more than a nominal fee for this, subject to some exceptions. So I can write to you and ask what personal data regarding me that you store, but I can't write to the police and ask if they're carrying out an undercover investigation of me. (Well, I can, but they're not obliged to confirm or deny it).
4. Personal information may not be kept for longer than necessary.
5. Personal information may not be transmitted outside the EEA unless the individual has consented or "adequate" protection is in place. (Your company would probably be fine if they signed a contract saying "Regarding all data you send us, we shall store and process it within the law laid down by the EU", but IANAL).
The data protection act is one of the most misunderstood laws in the UK - it's been used as an excuse to avoid doing anything by all sorts of entities in cases where it's plainly irrelevant. Which is odd because it's one of the few laws which come packaged with a set of plain-English guidelines explaining what it's trying to achieve.
Re: (Score:2)
Just because the police come asking for the data does not mean it's legal or that you're under obligation to give it. You would definately want to see some legal paperwork first.
Re: (Score:2)
Here's the deal, US corporations will do the absolute least to spend money on protecting data. The fines are low enough to simply not matter and there is no indication that their business suffers much of a hit.
The only way
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
Under HIPAA, encryption is not required but is "addressable", which means you've got to at least do something just as good and document how it's at least as good and why you're using it instead.
Many breach laws exempt you from disclosure requirements if you stored the data encrypted.
The Payment Card Industry's private sector regulations for credit card data require it to be stored in some kind of obscured form, with crypto b
Re:Unencrypted? (Score:5, Informative)
Re: (Score:1, Funny)
Don't you think they use their own bank?
CAPTCHA "Contempt" is somehow appropriate.
Re:Unencrypted? (Score:4, Insightful)
Re: (Score:2)
Releasing the manager's info doesn't hurt the company, so where's the punishment and the incentive to guard that data more carefully? This certainly would.
Too harsh? Can't ensure that data you collected won't get stolen? Then don't collect it.
God Bless America (Score:2, Funny)
So when is the bank declaring bankrupcy (Score:2, Interesting)
Re:So when is the bank declaring bankrupcy (Score:5, Insightful)
It wouldn't work. The Fed and possibly Congress themselves would bail the banks ass out to "protect our financial stability" or some other nonsense.
When you're a big corporate entity in America, you don't have to worry about such trivial things that would put the little guy without the Government connections out of business.
Re:So when is the bank declaring bankrupcy (Score:4, Interesting)
or skip to:
http://en.wikipedia.org/wiki/Bank_run#History [wikipedia.org]
If 4.5 million people is only a fraction of the data the bank had (assuming all data they have is equal to the amount of people they cater to) then if say 20,000,000 people withdrew their money, they'd be fucked, even if they only withdrew $200
Especially considering the decline of the USD, granted, it probably wouldnt lead to a major event like the 'Great Depression' (although its possible) but it would kill that branch, break some bird eggs, make an omelet, etc.
If the "Government" bailed them out (which would technically be the bank giving the government money to bail the bank out) the USD would plummet even further to probably mere tens of pennies.
Re:So when is the bank declaring bankrupcy (Score:4, Interesting)
Re: (Score:1)
Re:So when is the bank declaring bankrupcy (Score:5, Insightful)
That's nice for it. The question is how liquid are those assets and how much cash can it actually get its hands on at short notice. As banks in Britain have noticed, assets just ain't worth what they were.
Re:So when is the bank declaring bankrupcy (Score:5, Insightful)
It's not just a matter of asset liquidity, but also of quality and mark-to-market value. Right now the issue is of toxic mortage securities that may be on the books at face value but in reality are worth who knows what. Thanks to the repeal of the Glas-Seagal act, there's nothing stopping commercial banks like Bank of NY from making the same stupid decisions as investment banks like Bear Sterns, and who wants to bet that the commercial banks know the markets any better than the investment banks (I'd have assumed the opposite).
Two different things. (Score:2)
This thread was about a run on the bank by the depositors. Two completely different things and I stand by original statement.
Re: (Score:2)
Re: (Score:2)
At risk of sounding like someone who's going to turn this thread into an endless tar baby thing....
A bunch of folks pulling out a few thousand at most will not have the effect of a trader losing billions at one shot, if any. That's my point, basically. Otherwise, I'm right with you.
And I promise to stop posting to this thread :) - and I'll concede, that more than likely, I'll read something in the Economist that'll back you up completely (American Laws and everything) and I'll feel like a complete
Re: (Score:2)
Inflation is the only resolution, well, I suppose if worse came to hell, The Department Of The Treasury, could simply say "alright, that money is no longer legal tender anyways" and switch to something else.
As a side note:
"The company [BNY] has annual revenues of about $13 billion, and pro-forma market capitalization of about $50 billion.
It also ser
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
It has over 100 Billion dollars in assets.
Keep in mind that depository accounts at a bank are considered the bank's _liabilities_. A bank's outbound loans are their assets.
So if you go in and attempt to withdraw your money on deposit, and they pay you with an asset (other than cash on hand), they'd have to somehow give you a note - an IOU, where someone owes the bank money. That doesn't work too well.
If you don't think bank runs exist today, you need to just look back 2 months ago, to the Bear Stearns failure. [wsj.com]
Re: (Score:2)
If shit hits the fan, what are you going to do with your little piece of plastic? Well, I suppose you could maybe chop your food, wait... what food?
Re: (Score:2)
If you want to store your money at home, buy precious metals.
Re:So when is the bank declaring bankrupcy (Score:4, Informative)
Re: (Score:3, Interesting)
:-) Just thought that wording was interesting!
Re: (Score:2)
Here, 9% of a banks assets have to be "immediately liquide". With "immediate" meaning a few hours to a few days. Technically this means that banks have accounts with each other, holding those precious 9% in daily due accounts.
So it is in theory possible to make this happen again, but you'd have to run ALL the banks, at once. This is fairly unlikely. People with money (because, well, who
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
If a set of backup tapes belonging to the Bank of New York fell into the hands of Archive America without BNY's knowledge or approval, then there's something even more horribly wrong than we first imagined.
If I borrow your car from you, then hand the keys over to some random drunk guy I meet in a bar, would you still say it's my fault when your car gets wrapped around a tree?
Re: (Score:2)
Frankly, I would sue you, the drunk guy, and just to be sure, the tree.
One presumes, though that BoNY did proper due diligence in researching their archiving company, and a slipup like this from the archiving company is completely unexpected. But BoNY is still to blame for not encrypting their data, and Archive America is to blame for
Re: (Score:2)
You know what they say about presuming... It makes a pre out of sue and me.
Or something like that.
Personally, I blame Canada.
Re: (Score:3, Insightful)
Of the 4.5 million people, only about 450k will notice it at all. And I think I'm taking an optimistic guess here.
Of those 450k, only 450 have the money and the guts to actually sue a bank.
And then some federal bullshitmaker (senator, congressman, I'm not firm in those things concerning the US) steps in and proposes a bill that whitewashes them retroactively (to "protect the economy" or some other BS) which passes unanimonously because it's tacked to something like fl
Stupid (Score:1)
Re:Stupid (Score:5, Insightful)
This is (just) showing up the way business is done everywhere - on the cheap.
On the surface, all companies go to the trouble to look good - glossy ads, well appointed offices, important landmark locations, etc. But often, just like in a restaurant, out the back it's all dim lighting, rusty hinges, paint peeling off walls etc.
Now I'm not saying all companies, but companies of a certain culture. The rest of this comment was going to be total flamebait so I'll leave it there.
Re:Stupid (Score:5, Insightful)
Re:Stupid (Score:4, Informative)
Meh (Score:3, Funny)
Re: (Score:3, Insightful)
Re: (Score:2)
I think you just described most of the people in management in American corporations. I hope the number is better elsewhere, but I doubt it. Until we stop chug-a-lugging the "stupid people can manage anything without knowing anything about it" Kool-Aid we're going to keep suffering the same failures. How long can America survive when the smart people stay on the sidelines building wealth
Re: (Score:2)
Re: (Score:2)
Re:Trying to find a cube I would want to call home (Score:2)
Our warehouse manager has a degree (or was just a few credits shy of it) in graphical design, and has just decided to go back and work on software development after we've talked about the lack of people who h
Re: (Score:1)
Re: (Score:2)
Digital leakage is getting to be more like (Score:4, Interesting)
So what exactly is homeland security about? Its obviously not about protecting US citizens.
As a government body, shouldn't homeland security be involved in helping to prevent such digital leakage, even if just setting down the rules to follow and pursuing violators of the rules?
Re: (Score:3, Interesting)
Re:Digital leakage is getting to be more like (Score:5, Insightful)
FTFA:
"he [Blumenthal] said that he is pressing the bank to explain how some backup tapes disappeared while others on the same van arrived intact at the Archive America facility."
It's not a situation where it all got sent to the wrong place, or trashed accidentally, it was (what I would consider) obvious and intentional theft.
However, that doesnt mean that it was intended to be sold as a "bundle" on the Black Market, it could just have easily been some disgruntled worker with no real "plan" other than to fuck with the company, or even just get one individuals information from the 4.5 million (although I would likewise assume the former, Black market)
Re:Digital leakage is getting to be more like (Score:5, Insightful)
Let's say that one out of 100 accounts gets pilfered lightly - says $100 is mysteriously transfered. That's $4.5 million. Let's say that another 1 out of 100 has their info used to produce fake IDs, and those IDs are sold to illegal immigrants/terrorists/underage college kids/whomever for $500 each. That's $22.5 million.
So, close to $27 million if you only abuse 2% of the victims.
What absolutely blows my mind is that if a bank transfers $4.5 million, they use multiple armed guards driving an armored truck. When they transfer 4.5 million customers' worth of data (worth presumably more than $1 each), they use
$4.5 million of the bank's money goes missing in a armored car heist, it makes national news immediately, and stays on for weeks. 4.5 million people have their information stolen, and the bank says
Re: (Score:2)
Archive America? Does anyone know what kind of security measures these jokers take?
[...]
Re: (Score:2)
If someone steals that $4.5m, they're out $4.5 mil and STILL own their marks^Wcustomers money. If someone steals 4.5M identities, chances are, they actually MAKE money in the end 'cuz the bastards aren't gonna take your side if your identity gets stolen and you can't get a car loan anywhere under 10% interest!
Re: (Score:2)
<paranoia>
<humor>
Dear Mr 3seas:
Thank you for your interesting suggestion. While it is true that we here at the DHS have done a marvelous job leveraging fear to create a humungous, overprotective nanny institution, we have not yet been entrusted with protecting the private banking details of everyday Americans. Unless you can provide some information that links this event to terrorism, (eg, the comprimised accounts are filled with terrorist funds, terrorists stole the tapes,
Always... (Score:2, Interesting)
Re: (Score:2)
It's important to remember things such as this when the usual brainwashed-by-Fox conservatives say stuff like: "if you've nothing to hide, they why are you worried about privacy".
Things such as this are always a lousy counter-argument to that.
I can thing of plenty of other things to say. Like "What are your bank details?"
"How do you feel about your mother in law?" (ask when their spouse is within earshot)
"How much do you spend on golf clubs?" (again, ask when their spouse is within earshot)
Though to be fair, IME most people of the "nothing to hide" mentality are already so far down that road that they're way beyond reason.
really? again? (Score:3, Interesting)
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
Events like this seem to have become a near-monthly event. I would've thought banks and credit card companies and thier ilk would have learned thier lesson the first time something like this made news and started at least encrypting this stuff. Or at least the second time it happened. Or the third, maybe if we're cutting them a lot of slack. Yes, it's expensive and yes it's hard work, but it'd be less expensive than a potential 4.5 millian lawsuits and less work than the PR mess that they now have to clean up.
Maybe they haven't learned because none of these incidents have yet resulted in the "4.5 million lawsuits" you're talking about.
Re: (Score:2, Interesting)
My point was simply that it would seem prudent to plan for worst-case senerios. I would think that profit-seeking entities would someday learn how profitable risk management can be, in the long run.
Yes, I'm also aware "the long run" doesn't seem to be in our current corporate culture's lexicon. Hmm... it's possib
Re: (Score:3, Funny)
Sorry for not revealing too many technical details. I'd hate to give a criminal too much to go on.
The Responsible Thing (Score:4, Funny)
Amazing how rarely this happened until recently .. (Score:1)
Re:Amazing how rarely this happened until recently (Score:4, Insightful)
It wasnt till recently that millions of peoples records was held on digital/analog media. Most things were still carried out via paper and pen which made the loss of millins of peoples data require dumptrucks.
It wasnt till around 2001 or so that things really became "online". And these things are only going to happen more and more frequently now, because as much scare as there may be when this stuff hits the news, it doesnt overrides peoples inherit laziness "oh a few clicks? fuckin A"...
Most people with a lot to lose (millions/billions of dollars), still do not do transactions via digital media, certainly not in an outgoing direction. Until they are hit, this probably wont change no matter how frequently it happens.
Somewhere in Archive America's... archive (Score:2)
la la la...
trip...CRASH!!!!
uh-oh, spageddios!
(Back at the bank of NY)
wah wah wah waaaaaah.
I am one of the people affected (Score:5, Interesting)
This page has changed since Thursday. Originally it was only one incident, now it's two. The letter said that I'd get 1 year of credit monitoring at all 3 bureaus, free; when I signed up, I was given (and the page above) two years. The letter said there was no indication that the information had been used, but it also didn't mention what the summary here says - that SSNs and birthdates were on those tapes (I assumed they were).
What really pisses me off isn't that it happened - it's that it took them three fucking months to inform me.
I have 2 accounts with them (for the same employer, which is really stupid). One account requires my SSN, the stock ticker, and a 6-digit PIN. Digits only. Not terribly secure - there's only 10^6 possible PINs, my SSN may be in someone's hands, and there are only a couple thousand stock tickers. The other is a seemingly random ID and a 6-31 digit PIN. My previous PIN was 12 characters. The new one is 31.
I reset both my PINs Thursday night, which took about half an hour - the sites, while not normally speed demons, were obscenely slow that night. I'm hoping it's because people were changing their PINs.
Re:I am one of the people affected (Score:5, Insightful)
TFA has a lot of information which wasn't given to customers in the letter. The tapes were unencrypted? I can believe that. I kind of assumed it, which is a sad state of affairs. There were names, DOBs and SSNs on the tapes? That I can believe, and assumed, but like I posted above, it wasn't made known via the notice that was sent out.
But how the hell can this guy say "that none of the unencrypted data has been accessed or used?" That's impossible for them to know. The tapes are out of their physical control - the people in possession of them now could have skimmed all those records off already, and just haven't used them yet.
The article doesn't mention the $25K of "insurance" that we get by signing up with the free credit monitoring. Except I'm an NY resident, and by NY state law they can't offer such insurance to me. WTF?
So here I sit, having managed to go 30 years with a lone incident of a "guessed" CC number as my only brush with identity theft, and now I'm left to be looking over my shoulder for the next several years thanks to this.
When will business listen and stop using SSN? (Score:3, Informative)
Oh well, too late now.
Re: (Score:3, Informative)
Not that there aren't plenty of other ways of stealing people's identities but at least the government is impeding one of the easiest.
Re: (Score:2)
So even if they weren't using your SSN for your ID number (which, as I noted in my earlier post, they do sometimes) they'd still have your SSN in the data that was compromised.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Basically, it's your serial number, and its purpose is to allow the government to more easily control every aspect of your lif
That's fine - just pay reasonable compensation (Score:3, Interesting)
Transport ONLY Encrypted Media (Score:2)
Of course these people's life data is no different: the bank is responsible for protecting it. S
Its Inevitable ... (Score:2)
Re: (Score:2)
"in-line" encryption appliances. Tape specific devices, etc.
I'll let you in on HOW they work -- each tape is labeled and barcoded. The barcode/label is scanned, automatically by the tape device. This causes a key to be generated and stored on a key server ("security appliance"). The key is associated with the label. The key is used by hardware to encrypt the data (using AES-256 or better).
The security appliance is FIPS-140 B certified (tamper evident). Also, the key can be centrally destroyed, r
Re: (Score:2)
WHY unencrypted? W (Score:2)
WHY don't all those centralized-configuration-managing IT departments check the FileVault or the BitLocker checkbox on every laptop that comes in the door?
That fancy automated remote configuration-management software keeps everyone's internal purchase-requisi
Re: (Score:2)
2. Encryption costs money, if not for the software, then in process overhead, training, etc.
3. There's no compelling reason (e.g. massive fines) to do so.
Forged tape records? (Score:2)
Re: (Score:2)
"Lost In Transit" my lily white ... ummmm ... (Score:2)
Data tapes, which are an archive firm's bread-and-butter, do not just "go missing". It just doesn't happen, folks. This data was stolen, sure as I am sitting here.
This archive firm should be held accountable, and so should the bank. I mean BOTH held FULLY accountable, if any of these people are ripped off. Heck, even if each of them is only held 50% accountable, I will be satisfied... as long as there are severe punitive damages as well as actual damages.
I disagree. (Score:2)
But even if it turns out that is was not currently a criminal act, it was certainly an act that was grossly negligent, and they should be held accountable for that.
I can agree on that... (Score:2)
Those backups weren't worth a damn? (Score:2, Insightful)
---
If that is truly the case, then those tapes wouldn't have been worth a damn for restoration if there had been a disaster.
Re: (Score:2)